Bosses love excel, hackers too

Bosses love Excel …

hackers too!Juan Garrido “Silverhack”

Chema Alonso (@chemaalonso)

INFORMATICA64.COM

Who?

About

• Working at INFORMATICA64.COM• http://www.informatica64.com

What?

Terminal Applications

Why?

RDP

Citrix

Using Bing

Goverment Sites

Goverment Sites

Secure?

Verbosity• Conf -files are too verbosity–Internal IP Address–Users & encrypted passwords–Internal Software–Perfect for APTs• 0-day exploits• Evilgrade attacks

Verbosity

Verbosity• Attacker can:–modify conf files–Generate error messages–Fingerprinting all software• Example: C.A.C.A.

Terminal Services• Remoteapplicationmode–0 -> Desktop–1 -> Only App

• What app?–Alternate Shell (RDP < v 6.0)–RempoteApplicationProgram (RDP v 6.0++)

Terminal ServicesError Messages

Computer Assited Citrix Apps

Playing the Piano

Playing the Piano• Too many links

–Specially running on Windows 2008

• Too many environment variables–%SystemRoot%–%ProgramFiles%–%SystemDrive%

Window Server 2008 wants to help you!! (anytime!)

Playing the Piano• Too many shortcuts

– Ctrl + h – Web History– Ctrl + n – New Web Browser– Shift + Left Click – New Web Browser– Ctrl + o – Internet Addres– Ctrl + p – Print– Right Click (Shift + F10)– Save Image As– View Source– F1 – Jump to URL…

Playing the Piano

• Too , Too , Too many shorcuts:–ALT GR+SUPR = CTRL + ALT + SUP–CTRL + F1 = CTRL + ALT + SUP–CTRL + F3 = TASK MANAGER

• Sticky Keys

Easy?

Demo Servers

Paths?

Minimun Exposure Paths

• There are as many paths as pulbished apps• Every app is a path that could drive to elevate privileges• Complex tools are better candidates

• Excel is a complex tool

Bosses love

EXCEL

VBA

Excel 1:

The power of VBA

Software Restriction Policies

• Too many consoles–Cmd.exe–Windows Management Instrumentation–PowerShell–Jscript–Cscript..–….

Software Restriction Policies

• Forbidden apps–Via hash–Via path

• App Locker–Using Digital Certificates

• ACLs

Software Restriction Policies

• Too many consoles,–(Even frOm other OS)–Reactos….

Excel 2

forbidden Consoles

Security Policesfor Excel Macros

1) Disable VBA- Secure but it´s not REAL

Excel2) Security for macros

- No macros- signed macros- Case by case - All macros

Excel 3No

macros!

Excel 4

Only Signed-macros

Risky?

Start the III World War

• Find a bug in a DHS Computer• Trust in your Rogue CA• Generate an attacking URL in the

CRL (attacking China, for example)• Sign an excel file with your rogue

CA• Send a digital ly-signed excel file

to someone relevant!

Something like…

Just kiddin

g

Solutions• Re-evaluate your Remote App

connections• No alerts at all in Excel (and all the

rest of apps you publish)• No trusted locations in user-

profiles• No shared remote users• Trust in nobodoy…• Sorry, not even in nobody

How may paths do you have?

• TS Web Access–Hidden means not-removed

Contact information

• Juan Garrido “Silverhack”– [email protected]–http://windowstips.wordpress.com

• Chema Alonso–[email protected]–http://www.elladodelmal.com –@chemaalonso

• http://www.informatica64.com

Special Thanks to

• Didier Stevens– http://

blog.didierstevens.com/2010/02/04/cmd-dll/

• Shanit Gupta– http://

www.blackhat.com/presentations/bh-usa-08/Gupta/BH_US_08_Gupta_Got_Citrix_Hack_IT.pdf

• PDP– http://

www.blackhat.com/presentations/bh-europe-08/Petkov/Presentation/bh-eu-08-petkov.pdf

?